JP6964277B2 - Communication blocking system, communication blocking method and program - Google Patents

Description

The present invention relates to communication control at the time of abnormality in an in-vehicle network system in which an electronic control unit mounted on a vehicle communicates.

In recent years, a large number of electronic control units (ECUs: Electronic Control Units) are arranged in an automobile for controlling various parts of the automobile. The ECU constitutes a communication network called an in-vehicle network system. The in-vehicle network system is constructed according to, for example, the CAN (Control Area Network) standard defined by ISO11898, and a plurality of ECUs communicate with each other via a bus which is a transmission line for cooperation.

According to the CAN standard, the ECU that is the transmitting node transmits a frame as a message with a predetermined ID (also referred to as a message ID) indicating the type, and each ECU that is the receiving node is predetermined for each ECU. Receives the frame with the ID.

In such an in-vehicle network system, if a communication failure occurs due to a cyber attack, or if an ECU related to operation control is hijacked and an illegal message is sent, it may cause great damage that threatens the safety of the occupants or the surroundings. Therefore, various security measures have been devised. For example, the connection state between the communication device on the network and the communication line can be switched with a switch, and the switch that connects to the communication device identified as sending an invalid message is turned off to disconnect the connection with the network. Therefore, a technique for suppressing the influence on other communication devices has been proposed (see, for example, Patent Document 1).

Japanese Unexamined Patent Publication No. 2017-60057

However, if an ECU that sends an illegal message (hereinafter, also referred to as an illegal ECU) cannot correctly identify the illegal ECU that is disguised as another ECU, that is, it is spoofing, the connection is inadvertently disconnected. In addition, if an illegal determination is made and the connection of another safe ECU is disconnected, emergency stop or evacuation cannot be performed correctly, and the safety of the automobile cannot be ensured.

Therefore, the present invention provides a communication blocking system or the like that can further enhance the security of an automobile by suppressing the diffusion of adverse effects of the operation when an ECU that performs an illegal operation including spoofing is present on the in-vehicle network system. ..

In order to solve the above problems, the communication blocking system according to one aspect of the present invention can transmit and receive data between a plurality of communication devices and a plurality of groups including a communication line to which the plurality of communication devices are connected. In an in-vehicle network system, a communication unit that receives data from at least a part of the plurality of communication devices included in the first group via the communication line included in the first group among the plurality of groups. And, based on the data received by the communication unit, the communication abnormality in the first group is detected, and based on the content of the detected communication abnormality, a predetermined communication interruption between the plurality of groups is executed. A determination unit for determining whether or not to perform a predetermined communication interruption and a switching unit for executing the predetermined communication interruption when the determination unit determines to execute the predetermined communication interruption are provided, and the predetermined communication interruption is the first. Includes blocking the inflow of data transmitted from this group to groups other than the first group.

Further, the communication blocking method according to one aspect of the present invention is used in an in-vehicle network system capable of transmitting and receiving data between a plurality of communication devices and a plurality of groups including communication lines to which the plurality of communication devices are connected. A communication blocking method executed by a processor included in an information processing device connected to the in-vehicle network system, wherein the plurality of communication lines included in the first group are included in the first group. Data is received from at least a part of the communication device, a communication abnormality in the first group is detected based on the received data, and among the plurality of groups based on the content of the detected communication abnormality. When it is determined whether or not to execute the predetermined communication cutoff and it is decided to execute the predetermined communication cutoff, the predetermined communication cutoff is executed and the predetermined communication cutoff is transmitted from the first group. Includes blocking the inflow of data to groups other than the first group.

Further, the program according to one aspect of the present invention is a program for causing a processor included in the information processing apparatus to execute the above method.

According to the present invention, it is possible to suppress the spread of adverse effects on the in-vehicle network system due to unauthorized operation of the ECU regardless of the presence or absence of camouflage, which contributes to the realization of a highly safe automobile.

FIG. 1 is a diagram for explaining a configuration example of an in-vehicle network system including a communication blocking system according to an embodiment. FIG. 2 is a flow chart showing an example of a series of processing procedures by the communication blocking system according to the embodiment. FIG. 3 is a diagram for explaining a configuration example of an in-vehicle network system including a communication blocking system according to the first modification of the embodiment. FIG. 4 is a flow chart showing an example of a series of processing procedures by the communication blocking system according to the first modification of the embodiment. FIG. 5 is a diagram for explaining a configuration example of an in-vehicle network system including a communication blocking system according to the second modification of the embodiment. FIG. 6 is a flow chart showing an example of a series of processing procedures by the communication blocking system according to the second modification of the embodiment. FIG. 7 is a diagram for explaining a configuration example of an in-vehicle network system including a communication blocking system according to a modification 4 of the embodiment. FIG. 8 is a sequence diagram showing a series of processing procedures by the communication blocking system and the external communication partner according to the fourth modification of the embodiment.

(Findings, etc. that are the basis of the present invention)
The communication system described in Patent Document 1 is provided for the purpose of suppressing the influence of a communication device that transmits unauthorized data on a network on other communication devices.

More specifically, it is determined whether or not communication of the source communication device should be prohibited based on the data received from the plurality of communication devices connected to the communication line via the communication line. Will be done. If it is determined that the communication device should be prohibited, the communication device of the transmission source is specified, and the connection between the communication device and the communication line is disconnected.

The communication device is, for example, an ECU, and the communication line is a CAN bus to which the ECU is connected. Today's automobiles with advanced computerization are equipped with a large number of ECUs, and the in-vehicle network system includes a plurality of CAN buses to which a plurality of ECUs are connected as described above, and further relays communication between these CAN buses. A gateway, which is a communication device, is also included. Further, a switch is provided in the middle of the communication line connecting each ECU and the CAN bus, and the disconnection of the above connection is executed by turning off the switch associated with the specified illegal ECU. NS.

In the above communication system, since the connection is cut in this way, adverse effects on the vehicle-mounted network system due to the unauthorized ECU, for example, the occurrence of an excessive load on the CAN bus and gateway to which the unauthorized ECU is connected can be suppressed.

However, in the above communication system, when the fraudulent ECU impersonates another ECU, the fraudulent ECU is not correctly identified. Therefore, even if the communication between the specified unauthorized ECU and the CAN bus is disconnected, the above-mentioned adverse effect on the in-vehicle network system is not eliminated.

Therefore, in order to further enhance the security of highly information-oriented automobiles, the present inventors have come up with a technique for suppressing the spread of adverse effects due to the above-mentioned fraudulent ECU to the in-vehicle network system regardless of the presence or absence of spoofing.

The communication blocking system according to this technique is an in-vehicle network system capable of transmitting and receiving data between a plurality of groups including a plurality of communication devices and a communication line to which the plurality of communication devices are connected, and the communication blocking system of the plurality of groups. Among them, the communication unit that receives data from at least a part of the plurality of communication devices included in the first group and the data received by the communication unit via the communication line included in the first group. Based on this, a determination unit that detects a communication abnormality in the first group and determines whether or not to execute a predetermined communication interruption between the plurality of groups based on the content of the detected communication abnormality. When the determination unit determines to execute the predetermined communication interruption, the determination unit includes a switching unit that executes the predetermined communication interruption, and the predetermined communication interruption is the first of the data transmitted from the first group. Includes blocking inflow to groups other than one group.

As a result, regardless of the presence or absence of spoofing within the group, it is possible to prevent the adverse effect of the communication abnormality from extending to another group different from the group in which the communication abnormality occurs.

For example, the communication unit receives data from at least a part of the plurality of communication devices included in each of the plurality of groups, and the determination unit receives the data from the plurality of communication devices based on the data received by the communication unit. When a communication abnormality is detected in each group and a communication abnormality is detected in a second group other than the first group among the plurality of groups, the second group is used as the predetermined communication interruption. It may be determined to block the inflow of transmitted data into the first group.

As a result, in the event of a communication error in the in-vehicle network system, a specific group such as a functionally important group can be reliably protected from cyber attacks to ensure the safety of the vehicle. Can be done.

Further, for example, the predetermined communication cutoff may be a cutoff of data transmission / reception between the first group and all groups other than the first group. Alternatively, the predetermined communication interruption may be a total interruption of data transmission / reception between the plurality of groups.

As a result, when a communication abnormality occurs, the spread of adverse effects between groups can be more reliably suppressed regardless of the presence or absence of spoofing on the in-vehicle network system. In particular, regardless of which group the communication abnormality is detected, for example, by ensuring the safety of the domain of the drive system more reliably, the vehicle can be evacuated more reliably. In addition, by eliminating the mutual influence between domains, it is possible to accurately grasp the communication status of each domain, that is, the presence or absence of an abnormality. Furthermore, when a complete shutoff is performed, the subsequent restoration process to the normal state can be executed in a certain procedure, so there is a high possibility that the restoration can be reliably performed in a shorter time, and until the restoration is completed. It is possible to predict the required time more accurately.

Further, for example, the communication unit includes at least a part of a plurality of communication devices included in a second group other than the first group, and a third group other than the first group and the second group. Data is received from at least a part of the plurality of communication devices included, and the determination unit detects a communication abnormality in each of the second group and the third group based on the data received by the communication unit. When the determination unit detects a communication abnormality in the second group and determines that the detected communication abnormality is not in the third group, in the predetermined communication interruption, the first group The interruption of transmission / reception between the user and the second group may be maintained, and the interruption of the inflow of data transmitted from the third group to the first group may be released. Alternatively, when the entire communication unit is blocked, the communication unit receives data from at least a part of a plurality of communication devices included in the second group other than the first group, and the determination unit receives data from at least a part of the communication devices. , The communication abnormality is detected in the second group based on the data received by the communication unit, and when the determination unit identifies that the detected communication abnormality is not in the second group, The blockage of the inflow of data transmitted from the second group to another group may be released from the predetermined communication blockage.

As a result, the in-vehicle network system after the predetermined communication interruption may be performed may improve the convenience of the user, which has once deteriorated, to some extent while ensuring the safety.

Further, for example, the vehicle equipped with the in-vehicle network system has an automatic driving function including a function for executing evacuation, and when the determination unit determines to execute the predetermined communication interruption, the content of the detected communication abnormality is detected. Based on the above, it is determined whether or not to evacuate the vehicle, and when it is determined to evacuate the vehicle, an instruction to execute evacuation by automatic driving may be output.

As a result, when the safety of driving of the vehicle cannot be sufficiently ensured only by blocking communication, the vehicle can be stopped outside the traveling zone of the vehicle such as a road shoulder by automatic driving.

Further, for example, a vehicle equipped with an in-vehicle network system can be manually driven, and when the determination unit determines that the vehicle is to be evacuated, the determination unit outputs an instruction to the occupants of the vehicle to execute the evacuation by the manual driving. You may.

As a result, for example, when the safety of driving of the automobile cannot be sufficiently ensured only by blocking communication, the occupant can act as a driver to continue driving or stop the vehicle.

Further, for example, when an external communication unit capable of communicating with an information processing system outside the in-vehicle network system is provided and the evacuation is executed according to the determination of the determination unit, the external communication unit may be used. Information about data received from at least a part of the plurality of communication devices included in the group in which the data to be transmitted to another group is blocked by the predetermined communication interruption may be transmitted to the information processing system.

As a result, when the vehicle is stopped because the driving safety cannot be sufficiently ensured only by blocking the communication, it is possible to provide information on the condition of the vehicle to the outside of the vehicle.

Further, for example, the external communication unit may receive a signal for remote control of the vehicle from the information processing system.

As a result, the automobile once stopped for ensuring safety can be moved by remote control.

Further, the communication blocking method according to one aspect of the present invention is used in an in-vehicle network system capable of transmitting and receiving data between a plurality of communication devices and a plurality of groups including communication lines to which the plurality of communication devices are connected. A communication blocking method executed by a processor included in an information processing device connected to the in-vehicle network system, wherein the plurality of communication lines included in the first group are included in the first group. Data is received from at least a part of the communication device, a communication abnormality in the first group is detected based on the received data, and among the plurality of groups based on the content of the detected communication abnormality. When it is determined whether or not to execute the predetermined communication cutoff and it is decided to execute the predetermined communication cutoff, the predetermined communication cutoff is executed and the predetermined communication cutoff is transmitted from the first group. Includes blocking the inflow of data to groups other than the first group.

As a result, it is possible to prevent the adverse effect of the communication abnormality from extending to another group different from the group in which the communication abnormality occurs regardless of the presence or absence of spoofing within the group.

Further, the program according to one aspect of the present invention causes a processor included in the information processing apparatus to execute the above method.

As a result, it is possible to prevent the adverse effect of the communication abnormality from extending to another group different from the group in which the communication abnormality occurs regardless of the presence or absence of spoofing within the group.

It should be noted that these general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a recording medium such as a computer-readable CD-ROM, and the system, the method, the integrated circuit, or the computer. It may be realized by any combination of a program or a recording medium.

Hereinafter, the communication blocking system according to the embodiment will be described with reference to the drawings. The embodiments shown here and modifications thereof are all specific examples of the present invention. Therefore, the numerical values, the components, the arrangement and connection form of the components, the steps (processes), the order of the steps, and the like shown in the following embodiments are merely examples and do not limit the present invention. Among the components in the following embodiments, the components not described in the independent claims are components that can be arbitrarily added. Further, each figure is a schematic view and is not necessarily exactly illustrated.

(Embodiment)
[1-1. Overall configuration of in-vehicle network system]
FIG. 1 is a diagram for explaining a configuration example of the vehicle-mounted network system 10 according to the embodiment.

The in-vehicle network system 10 is an example of a communication network that communicates according to the CAN protocol, and is an in-vehicle network system in a vehicle. The vehicle is, for example, an automobile, and is equipped with various devices (not shown) such as actuators, control devices, and sensors.

The in-vehicle network system 10 includes a gateway (referred to as GW in the figure) 20, a communication blocking system 100, communication lines 91, 92, 93 and 94 (hereinafter, also referred to as communication lines 91 to 94 when collectively referred to), an ECU 32. 33, 42, 43, 52, 53, 62 (hereinafter, also simply referred to as ECU when referring to all or any of these) and 63, DCU (Domain Control Unit) 31, 41, 51 and 61 (hereinafter, hereinafter). , Simply referred to as DCU when referring to all or any of these), TCU (Telematic Control Unit) 70 and OBD2 (On Board Diagnostics 2nd generation) port 80. The in-vehicle network system 10 may further include an ECU other than the above, but here, for convenience of explanation, the above ECU will be focused on.

In terms of hardware, the ECU is a device including, for example, a processor (that is, a microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like. The memory is a ROM (Read-Only Memory), a RAM (Random Access Memory), or the like, stores a program executed by a processor (that is, a computer program), and holds data for processing by the program. Each ECU realizes various functions for controlling a vehicle, for example, by operating a processor according to a program. The program is composed of a combination of a plurality of instruction codes indicating commands to the processor for each ECU to realize a predetermined function.

Any of the above various devices may be connected to each ECU. The ECU to which the device is connected receives data input from the device and outputs a signal indicating a command for causing the device to perform a predetermined operation. Further, each ECU is connected to any of communication lines 91 to 94, which is a CAN bus, and communicates with other ECUs. However, the communication line to which the connection is made differs depending on the function of each ECU. For example, the ECUs 32 and 33 that function as a drive system are connected to the communication line 91. Further, for example, the ECUs 42 and 43 having the functions of the ADAS (Advanced Driver Assistance System) system are connected to the communication line 91. Further, for example, the ECUs 52 and 53 that carry out the functions of the body system are connected to the communication line 93. Further, for example, the ECUs 62 and 63 having functions of the infotainment system are connected to the communication line 94.

Such functionally interrelated ECUs are called domains. In the vehicle-mounted network system 10 according to the present embodiment, the ECUs belonging to one domain are intensively connected to a common communication line to form one group. In the example of FIG. 1, the domains to which the ECUs connected to the communication lines 91 to 94 belong are called the drive system domain 30, the ADAS system domain 40, the body system domain 50, and the infotainment system domain 60. Further, each domain includes a DCU that plays a management role of the operation of the ECU belonging to the domain, and is connected to the corresponding communication line. As each DCU, the one common to the ECU may be used in terms of hardware. A method of collectively managing a plurality of ECUs in domains according to the relevance of their functions can also be used, for example, to facilitate design diversion to other vehicle models.

The ECU and DCU are examples of communication devices according to the present embodiment, and are collectively referred to as communication devices below.

Communication lines 91 to 94 are connected to the gateway 20 to control communication between domains. The gateway 20 can be realized by a device including basically the same components as the ECU.

The TCU 70 connected to the gateway 20 is a communication module for enabling communication between the in-vehicle network system 10 and the outside. Examples of communication destinations include providers of services for users by vehicle manufacturers such as SOC (Security Operation Center). Alternatively, an organization that provides road service and an organization that responds to emergencies such as emergency may be included in the candidates for communication.

Further, the OBD2 port 80 further connected to the gateway 20 is a port for outputting data generated by the in-vehicle self-diagnosis function. For example, a predetermined device can be connected to the OBD2 port 80, and a failure code indicating the type of abnormality that has occurred can be collected from each ECU.

The communication blocking system 100 is in a position to relay the connection between the gateway 20 and the above four domains in the in-vehicle network system 10. Next, the configuration of the communication blocking system 100 will be described including the relationship with other components of the communication blocking system 100.

[1-2. Communication cutoff system configuration]
The communication blocking system 100 includes communication units 14A, 14B, 14C and 14D (hereinafter, also referred to as communication unit 14 when referring to all or any one or more of them), switching units 13A, 13B, 13C and 13D (hereinafter, hereinafter,). When referring to all or any one or more of these, it is also referred to as a switching unit 13), a determination unit 11, and a storage unit 12.

The communication unit 14 is connected between the ECU and DCU and the gateway 20 of the communication line of each group, and receives the data output by the ECU and DCU included in the group. In the example of this embodiment, the communication unit 14A receives the data transmitted from the communication device belonging to the drive system domain 30. Further, the communication unit 14B receives data transmitted from a communication device belonging to the ADAS domain 40. The communication unit 14C receives data transmitted from a communication device belonging to the body domain 50. The communication unit 14D receives data transmitted from a communication device belonging to the infotainment domain 60. The communication unit 14 transfers the received data to the determination unit 11.

The determination unit 11 detects a communication abnormality in each group based on the data received from the communication unit 14. Further, based on the content of the detected communication abnormality, it is determined whether or not to execute a predetermined communication interruption between the groups. The communication abnormality here is caused by, for example, hijacking by a cyber attack, installation or failure of an unauthorized ECU unrelated to the user's intention, etc., and one or more ECUs on the in-vehicle network system 10 connect an unauthorized message. Refers to the situation of sending to the previous CAN bus. When it is determined to execute the predetermined communication cutoff, the determination unit 11 controls the switching unit 13 to execute the predetermined communication cutoff. The predetermined communication interruption relates to which of the switching units 13 is turned off, and the details will be described later.

The switching unit 13 is a switch provided between the ECU and the DCU and the gateway 20 of the communication lines 91 to 94, respectively, and is normally in the ON state, and the ECU and the DCU via the communication lines 91 to 94 respectively. A communication path between the gateway 20 and the gateway 20 is established. Further, the switching unit 13 is turned off according to the control from the determination unit 11, and blocks this communication path, that is, executes communication blocking. In the example of the present embodiment, the switching unit 13A switches the establishment and blocking of the communication path between the communication device belonging to the drive system domain 30 and the gateway 20, that is, the communication path between other domains. Further, the switching unit 13B switches the establishment and blocking of the communication path between the communication device belonging to the ADAS domain 40 and another domain. The switching unit 13C switches the establishment and blocking of the communication path between the communication device belonging to the body system domain 50 and other domains. The switching unit 13D switches the establishment and blocking of the communication path between the communication device belonging to the infotainment domain 60 and another domain.

The position of the switching unit 13A on the communication path along the communication line 91 may be between the drive system domain 30 and the gateway 20, and the communication unit 14A and the gateway 20 shown in the example of FIG. 1 Not limited to the time. The same applies to the positions of the switching unit 13B, the switching unit 13C, and the switching unit 13D on the corresponding communication paths.

The storage unit 12 is a ROM, RAM, or the like, and stores a program for realizing the functions from the detection of the above-mentioned communication abnormality by the determination unit 11 to the determination regarding the execution of the communication cutoff, and holds the data as needed.

The communication cutoff system 100 having the above configuration can be realized by one or more devices including basically the same components as the ECU. It can also be realized as a device integrated with the gateway 20.

[1-3. motion]
Next, the operation of the communication blocking system 100 having the above configuration will be described. FIG. 2 is a flow chart showing an example of a series of processing procedures by the communication blocking system 100 in the in-vehicle network system 10.

First, the communication unit 14 receives the data output to the communication lines 91 to 94 to which each communication device is connected via the communication line to which the communication device 14 is connected (step S20).

Next, the determination unit 11 determines each communication line or a communication device connected to the communication line based on the data received by the communication unit 14 (hereinafter, the group is the place where the communication abnormality occurs or the target affected by the communication abnormality). If a communication abnormality has occurred in the communication line and the connected communication device without particular distinction), this communication abnormality is detected (step S22). To detect communication abnormalities, various methods using the reception interval between messages, the degree of deviation from the predetermined transmission cycle of messages with the same ID, the validity of data values, the message authentication code, or a combination of these information are used. It can be used.

When no communication abnormality has occurred (No in step S22), the message of the data is transmitted to the gateway 20 via the switching unit 13 in the ON state on each of the communication lines 91 to 94. The gateway 20 transfers the received message between the communication lines 91 to 94 according to a predetermined rule. Further, the communication unit 14 receives the next data (step S20).

When a communication abnormality has occurred (Yes in step S22), the determination unit 11 further determines whether or not to execute a predetermined communication interruption based on the content of the communication abnormality detected in step S22 (step S24). ..

The content of the communication abnormality here is information obtained based on the information used for detecting the communication abnormality mentioned above, and can be said to be a type of communication abnormality. This type includes, for example, a location where a communication abnormality occurs (domain or communication line 91-94), a device which is adversely affected by the generated communication abnormality (ECU, DCU, gateway 20, communication line 91-94, or domain unit). It depends on the details of the adverse effect (control of steering or acceleration / deceleration, recognition of objects outside the vehicle, effects on doors, lights, indicators, audio equipment, air conditioners).

If the communication interruption is executed (Yes in step S24), the details of the communication interruption to be executed are also determined. For example, the storage unit 12 is a table in which the above-mentioned various communication abnormalities are associated with the necessity of communication interruption according to the degree of influence on the continuation of safe driving of the vehicle and the communication interruption pattern when necessary. Is stored, and when the determination unit 11 acquires the information on the content of the communication abnormality, it determines whether or not to execute the communication cutoff by referring to this table (step S24), and if it executes it (in step S24). Yes), the pattern may be acquired as information indicating a predetermined communication interruption. Alternatively, in this table, various communication abnormalities are associated with points or ranks according to the degree of influence on the continuation of safe driving of the vehicle, and the determination unit 11 cuts off communication according to the points or ranks. You may decide whether to do it.

Further, as described above, the predetermined communication interruption relates to which of the switching units 13 is turned off. The basic purpose of communication interruption is to obtain the effect of blocking the inflow of malicious messages from the group in which a communication abnormality is detected to one or more other groups. Hereinafter, examples of communication blocking patterns for achieving such an object will be given below, including variations thereof.

(1) For example, the switching unit 13 corresponding to the group in which the communication abnormality is detected may be turned off. As a specific example, when a communication abnormality in the body domain 50 is detected, the switching unit 13C is turned off. As a result, the above effect can be obtained. Further, since communication with other parts of the in-vehicle network system 10 is cut off in group units, even if there is spoofing between communication devices in the group, the other groups and the gateway 20 are adversely affected by the communication abnormality. Is suppressed. In addition, spoofing may be performed across domains, and if communication from a group including an illegal ECU to another group is blocked, cyber including spoofing to another group's ECU by this illegal ECU. You can cut off the path of the attack.

(2) Further, for example, all the switching units 13 may be turned off except for the group corresponding to the group in which the communication abnormality is detected. As a specific example, when a communication abnormality in the body domain 50 is detected, the switching units 13A, 13B and 13D are turned off. In this pattern, although the above effect can be obtained, it becomes impossible to send and receive data between groups in which no communication abnormality is detected. In addition, the load on the gateway 20 from the group in which the communication abnormality is detected increases. However, in this case, since the gateway 20 does not transfer data between groups, for example, if the gateway 20 has a function of resolving a communication abnormality, more resources can be allocated to execute this function. can.

(3) For example, when there is a predetermined group that requires high protection for the continuation of safe driving of the vehicle and a communication abnormality is detected in a group other than this predetermined group, the predetermined group The switching unit corresponding to the group may be turned off. As a specific example, assuming that the group including the drive system domain is the above-mentioned predetermined group, when a communication abnormality in the body system domain 50 is detected, the switching unit 13A is turned off. That is, in this pattern, the inflow of messages from other groups including the group in which the communication abnormality is detected to a predetermined group that needs high protection is blocked. In addition, while ensuring the safety of the group that needs high protection, the effect of maintaining the convenience for the user to some extent by minimizing the restriction of the function due to the communication interruption in the entire in-vehicle network system 10. You can expect it. In the above specific example, only the switching unit 13A is switched to the off state, but in addition, the switching unit 13C corresponding to the group in which the communication abnormality is detected may also be switched to the off state. As a result, for the two groups in which no communication abnormality is detected, it is possible to prevent the spread of adverse effects from the body domain 50 and minimize the function limitation. Further, the number of predetermined groups is not limited to one. Even if a plurality of predetermined groups are set and a communication abnormality is detected in any of the other groups, the plurality of switching units 13 corresponding to the predetermined group may always be switched to the off state. Within a plurality of predetermined groups, or according to the high need for protection, the priority for turning off the switching unit 13 is set among the groups, and depending on the content of the detected communication abnormality. The switching unit 13 to be turned off may be selected and determined from those corresponding to the group having a high priority. Further, whether or not the group is a predetermined group is not limited to the example based on the degree of necessity of protection from the safety aspect used in the above description, and may be selected by the user, the manufacturer, or the like. The same applies to the priority.

(4) In addition, various forms of redundant communication interruption may be performed. Redundant communication interruption means, for example, when a communication abnormality is detected in any one or more groups, in addition to the communication in which the group is the transmitting side or the receiving side, the group is also the transmitting side and the receiving side. It is to include non-redundant communications in the target of blocking.

For example, communication with a group including the domain of the drive system may be always blocked regardless of which other group has detected a communication abnormality. As a result, the safety of the domain of the drive system is ensured more reliably, and the vehicle can be evacuated more reliably, which will be described later. In this case, if functionally possible, the switching unit 13 includes at least the inflow of data from all other groups into the group including the drive system domain, while including the drive system domain. The data from the group may not be blocked and may be sent to another group for the purpose of monitoring by the driver or using it for evacuation described later.

Further, for example, when a communication abnormality is detected in any one group, all the switching units 13 may be turned off. Even by such communication blocking, the above-mentioned effect of blocking the inflow of malicious messages from the group in which the communication abnormality is detected to another group can be obtained. Further, regardless of whether the spoofing by the unauthorized communication device generated on the in-vehicle network system 10 is performed within the group or between the groups, the adverse effect in the in-vehicle network system 10 spreads quickly and quickly. It can be suppressed more reliably. In addition, by eliminating the mutual influence between domains, it is possible to accurately grasp the communication status of each domain, that is, the presence or absence of an abnormality. Further, when the system on the in-vehicle network system 10 has a configuration for recovering from an abnormality, the procedure of the subsequent returning to the normal state is standardized regardless of the content of the communication abnormality that has occurred. Therefore, there is a high possibility that the recovery can be reliably performed in a shorter time than in the case where the group blocked from the in-vehicle network system 10 differs depending on the content of the communication abnormality that has occurred, and the time required to complete the recovery can be predicted. It can be done more accurately.

(5) Further, as a derivative communication interruption of the above example (4), the condition for the communication abnormality for all the switching units 13 to be turned off may be more limited. For example, it may be a condition for all the switching units 13 to be turned off that the degree of danger to the running safety of the vehicle exceeds a certain level. To give a specific example, when a communication abnormality is detected in a predetermined group having a high importance in terms of safety, all the switching units 13 may be turned off. Further, for example, when a communication abnormality is detected in a predetermined combination of groups, all the switching units 13 may be turned off. Further, for example, when a communication abnormality is detected in a predetermined number or more groups, all the switching units 13 may be turned off. Even by such communication blocking, the above-mentioned effect of blocking the inflow of malicious messages from the group in which the communication abnormality is detected to another group can be obtained. Further, under the above conditions, if the risk to safety is low, the restriction of the function due to the communication interruption in the in-vehicle network system 10 is suppressed, so that the convenience for the user is maintained to some extent, which is dangerous. Safety is ensured when the risk is high.

As described above, when the determination unit 11 determines to execute the predetermined communication cutoff as illustrated above (from Yes in step S24 to step S26), the determination unit 11 controls the switching unit 13 to execute the predetermined communication cutoff. (Step S28).

If the communication cutoff is not executed (No in step S24), the message of the data may be received by the gateway 20 or discarded depending on the content of the communication abnormality detected in step S22. ..

Further, even if information related to the communication abnormality such as the time when the communication abnormality occurs, the domain, the type of abnormality, the message transmitted due to the communication abnormality, and the content of the processing after detection is recorded in the log stored in the storage unit 12. good. Further, all or part of the information regarding these communication abnormalities may be output to the outside from the TCU 70 or the OBD2 port 80 via the gateway 20.

[1-4. effect]
The communication blocking system 100 in the vehicle-mounted network system 10 including a plurality of groups and capable of transmitting and receiving data between the groups includes a communication unit 14, a determination unit 11, and a switching unit 13.

The communication unit 14 receives data from a plurality of communication devices such as ECUs included in the first group via a communication line included in the first group, which is a plurality of groups.

The determination unit 11 detects a communication abnormality in the group based on the data received by the communication unit 14, and executes a predetermined communication interruption between the plurality of groups based on the content of the detected communication abnormality. Decide whether to do it or not.

When the determination unit 11 determines that the predetermined communication cutoff is executed, the switching unit 13 executes the predetermined communication cutoff.

This predetermined communication interruption includes blocking the inflow of malicious messages from the group in which a communication abnormality is detected to other groups.

As a result, it is possible to suppress the adverse effect of the communication abnormality from the group in which the communication abnormality is detected to the other groups and the gateway 20 that transfers data between the groups. Further, it is possible to suppress the adverse effect of a cyber attack on the other group and the gateway 20 from the group including the communication device in the group or the communication device included in the other group to impersonate the communication device.

Further, the communication unit 14 receives data from the communication devices included in each of the plurality of groups, and the determination unit 11 is a second group which is a group other than the first group which is one of the plurality of groups. When a communication abnormality is detected in, it may be decided to block the inflow of data transmitted from the second group to the first group as a predetermined communication cutoff.

As a result, with respect to the first group, it is possible to suppress the adverse effect of the communication abnormality occurring in any of the other groups, for example, the inflow of illegal data including the falsified data value. For example, if the group with a high need for protection is set as the first group, it is possible to enhance the safety of the vehicle against the threat of safe driving due to information disturbance.

Further, the predetermined communication interruption may be a complete interruption of data transmission / reception between a plurality of groups.

As a result, regardless of whether the spoofing by the unauthorized communication device generated on the in-vehicle network system 10 is performed within the group or between the groups, the adverse effect in the in-vehicle network system 10 is quickly spread. And it can be suppressed more reliably. In particular, regardless of which group in which the communication abnormality is detected, the safety of the domain of the drive system is ensured more reliably, so that the vehicle can be evacuated more reliably, which will be described later. In addition, by eliminating the mutual influence between domains, it is possible to accurately grasp the communication status of each domain, that is, the presence or absence of an abnormality. In addition, since the procedure for returning to the normal state can be standardized, there is a high possibility that the return to the normal state can be reliably performed in a shorter time, and the time required to complete the return can be predicted more accurately.

(Modification example)
The technique according to the present invention is not limited to the above-described embodiment as an example of the technique according to the present invention, and can be appropriately applied to modifications thereof due to changes, replacements, additions, omissions, and the like. For example, the following modifications are also included in one embodiment of the present invention.

[2-1. Modification 1]
The technique according to the present invention can also be applied to an autonomous vehicle. In the autonomous driving vehicle to which this technique is applied, evacuation from the traveling zone may be further executed. Hereinafter, the communication blocking system according to the first modification of the embodiment will be described focusing on the difference from the embodiment.

[2-1-1. composition]
FIG. 3 is a diagram for explaining a configuration example of the in-vehicle network system 10A including the communication blocking system 100A according to the present modification. The in-vehicle network system 10A is an in-vehicle network system included in the autonomous driving vehicle. It should be noted that illustration and description of the components that provide the automatic driving function during normal driving will be omitted.

The communication cutoff system 100A includes a determination unit 11A instead of the determination unit 11 of the embodiment. The determination unit 11A is an evacuation control unit 300 included in the drive system domain 30A in this modification, and a communication line 900 which is a jiga line (dedicated communication line) for securing a communication path that is not affected by a cyber attack. It is connected.

The evacuation control unit 300 is realized, for example, by executing a program on the ECU that provides a function for causing an autonomous driving vehicle equipped with an in-vehicle network system 10A to execute evacuation.

The control target by this program depends on the level of automation of the self-driving car. The explanation of this modification assumes automation of so-called level 3 (conditional automatic driving) or higher in which steering and acceleration / deceleration are controlled by the automatic driving function. That is, even without the driving operation of the user (driver), the evacuation control unit 300 included in the drive system domain 30A controls the steering and acceleration / deceleration using the result of external object recognition to evacuate the autonomous vehicle to the shoulder or the like. Is executed.

As an example of evacuation control in an autonomous vehicle with a lower level of automation, it is suitable for assisting the driver in driving operation for evacuation, issuing a warning prompting the driver to start driving operation for evacuation, or evacuation. Controls for providing information to guide the driver to a certain position can be mentioned. The installation location of the evacuation control unit that performs such evacuation control is not limited to the drive system domain. Further, the issuance of a warning regarding evacuation or the provision of information may be provided as a function in a vehicle having no automatic driving function.

When the determination unit 11A determines to execute a predetermined communication interruption based on the content of the detected communication abnormality, the determination unit 11A further determines whether or not to evacuate the vehicle based on the content of the communication abnormality. This determination may be made according to the score or rank associated with the various communication anomalies, for example illustrated in the embodiments.

The determination unit 11A determined to evacuate outputs an instruction to execute the evacuation by the automatic operation function to the evacuation control unit 300 via the communication line 900.

[2-1-2. motion]
Next, the operation of the communication blocking system 100A according to the present modification having the above configuration will be described. FIG. 4 is a flow chart showing an example of a series of processing procedures by the communication blocking system 100A in the in-vehicle network system 10A. In the flow chart of FIG. 4, common reference numerals are given to the processes common to those of the embodiment. Hereinafter, the differences from the embodiments will be mainly described.

The determination unit 11A, which controls the switching unit 13 in step S28 to execute a predetermined communication interruption, determines whether or not to evacuate the vehicle based on the content of the detected communication abnormality (step S40).

When it is determined to evacuate the vehicle (Yes in step S40), the determination unit 11A outputs an instruction to execute the evacuation by the automatic driving function to the evacuation control unit 300 via the communication line 900 (step S42). Upon receiving this instruction, the evacuation control unit 300 executes evacuation by automatic operation (step S44).

When it is determined not to evacuate the vehicle (No in step S40), the process at the time of detecting a communication abnormality ends.

Although not shown in the flow chart, information regarding the determination in step S40 may be recorded or output to the log.

[2-1-3. effect]
In the in-vehicle network system 10A provided in an automobile having an automatic driving function including a function for executing evacuation, when the determination unit 11A decides to execute a predetermined communication interruption, further based on the content of the detected communication abnormality. You may decide whether or not to evacuate the vehicle. When it is determined to evacuate the automobile, the determination unit 11A outputs an instruction to evacuate the automobile by automatic driving.

As a result, when the safety of driving of the vehicle cannot be sufficiently ensured only by blocking communication, the vehicle can be stopped by automatic driving.

[2-2. Modification 2]
In an autonomous vehicle that can also be manually driven, it can be assumed that manual driving is possible for safer evacuation depending on the condition of the vehicle or the content of the communication abnormality. Assuming such a case, the communication cutoff system 100B according to the present modification may be configured so that the evacuation by the automatic operation function is not executed by the decision of the occupant or the determination unit. Hereinafter, the communication blocking system according to the second modification of the embodiment will be described focusing on the difference from the first modification of the embodiment.

[2-2-1. composition]
FIG. 5 is a diagram for explaining the configuration of the in-vehicle network system 10B including the communication blocking system 100B according to the present modification. The in-vehicle network system 10B is an in-vehicle network system provided in an autonomous vehicle capable of manual driving. It should be noted that illustration and description of the components that provide the automatic driving function and the manual driving function during normal driving will be omitted.

The communication cutoff system 100B includes a determination unit 11B instead of the determination unit 11 of the embodiment. Further, the communication blocking system 100B further includes a storage unit 12B instead of the storage unit 12. The storage unit 12B includes a setting holding unit 120. The setting holding unit 120 holds a setting regarding whether or not to execute the evacuation of the automobile by the automatic driving function. This setting may be input by the occupant of the vehicle or may be input by the determination unit 11B. The input by the determination unit 11B is performed by reflecting whether or not the evacuation can be executed by the automatic driving function according to, for example, the situation of the vehicle or the content of the detected communication abnormality.

Whether or not the determination unit 11B holds the setting for causing the setting holding unit 120 to execute the evacuation of the vehicle by the automatic driving function before issuing the instruction to the evacuation control unit 300 to execute the evacuation by the automatic driving function. To confirm. If the setting for issuing the evacuation execution instruction by the automatic operation function is not held, the setting holding unit 120 does not issue the evacuation execution instruction. When the setting for issuing the evacuation execution instruction by the automatic operation function is held, the setting holding unit 120 issues the evacuation execution instruction in the same manner as the determination unit 11A in the first modification.

[2-2-2. motion]
Next, the operation of the communication blocking system 100B according to the present modification having the above configuration will be described. FIG. 6 is a flow chart showing an example of a series of processing procedures by the communication blocking system 100B in the in-vehicle network system 10B. In the flow chart of FIG. 6, common reference numerals are given to the processes common to those of the embodiment and the first modification thereof. Hereinafter, the differences from the embodiment or the modification 1 thereof will be mainly described.

The determination unit 11B, which has determined in step S40 to evacuate the switching unit 13 vehicle, confirms whether or not the setting holding unit 120 holds the setting for executing the evacuation of the vehicle by the automatic driving function (step S41).

When the setting is held (Yes in step S41), the determination unit 11B outputs an instruction to execute the evacuation by the automatic operation function to the evacuation control unit 300 via the communication line 900 (step S42). Upon receiving this instruction, the evacuation control unit 300 executes evacuation by automatic operation (step S44).

If the setting is not retained (No in step S41), the process at the time of detecting a communication abnormality ends. Further, in this case, although not shown in the flow chart, the occupant may be instructed to execute evacuation by manual operation, an alarm prompting evacuation may be issued, or information to assist evacuation may be provided. ..

Although not shown in the flow chart, information regarding the decision in step S41 may be recorded or output to the log.

[2-2-3. effect]
The communication cutoff system 100B provided for a vehicle having an automatic driving function and capable of manual driving further includes a setting holding unit 120 for holding a setting regarding whether or not to execute the evacuation of the vehicle by the automatic driving function. You may. The determination unit 11B included in the communication cutoff system 100B does not output an instruction to execute the evacuation by the automatic driving function when the setting holding unit 120 does not hold the setting for executing the evacuation of the automobile by the automatic driving function.

As a result, when the safety of driving of the automobile cannot be sufficiently ensured only by blocking the communication, the user can drive and continue or stop the driving.

It should be noted that the technique according to this modification applies to the driver even if the vehicle is manually driven without the automatic driving function, when the judgment regarding the evacuation of the vehicle (step S40) is Yes when the communication abnormality is detected. It can be applied in the form of instructing evacuation by manual operation.

[2-3. Modification 3]
In the description of the embodiment, the effect of redundant communication blocking such as communication between groups other than the group in which the communication abnormality is detected or communication between groups is completely blocked is mentioned. However, in the communication blocking system according to the present invention, the inflow of data between the groups once blocked by detecting the communication abnormality may be resumed, that is, the restoration of the communication between the groups may be further executed.

For example, as shown in FIG. 1, it is assumed that the communication unit 14 can receive data from the corresponding group even when the switching unit 13 is in the off state. The determination unit 11 that once turned off the switching unit 13 due to a predetermined communication interruption further determines whether or not a communication abnormality has occurred based on the data of the group corresponding to the switching unit 13 received by the communication unit 14. do. When a communication abnormality has not occurred, the blockage of the inflow of data transmitted from the group to another group may be excluded from the predetermined communication blockage, that is, the communication blockage may be canceled.

As a result, the restriction of the function due to the communication interruption is relaxed, and the deterioration of convenience for the user can be suppressed even when a communication abnormality occurs. For example, in order to ensure safer running of the vehicle, redundant communication interruption may be once executed as a predetermined communication interruption. In particular, when all the switching units 13 are turned off, the functional restrictions are typically strict, and the convenience of the user is greatly reduced. However, in this way, based on the data received by the communication unit 14, the group in which the communication abnormality is not detected is identified, and the data from the group flows into the other group via the gateway 20 again. By executing the return processing that enables it, it is possible to improve the convenience of the user, which has once deteriorated.

Such an operation may be performed by the determination unit 11A of the above-mentioned modification 1 or the determination unit 11B of the modification 2. Further, as a result of the relaxation of the function restriction by such a determination, the vehicle that has been evacuated and stopped may be returned to the state in which the vehicle can run again.

[2-4. Modification 4]
In the embodiment in which the vehicle is evacuated from the traveling zone and stopped when a communication abnormality is detected as in the communication cutoff system 100A according to the first modification, the vehicle may be further controlled to move from outside the vehicle. good.

As a result, it is possible to move the evacuated vehicle as necessary because it is not possible to drive safely by automatic or manual operation control on the vehicle.

[2-4-1. composition]
FIG. 7 is a diagram for explaining a configuration example of the in-vehicle network system 10C including the communication blocking system 100C according to the present modification. The in-vehicle network system 10C is an in-vehicle network system provided in an autonomous vehicle. Components that provide the manual driving function may or may not be further provided in this self-driving vehicle. Hereinafter, the communication blocking system according to this modification will be described focusing on the difference from the modification 1 of the embodiment.

The communication blocking system 100C includes an external communication unit 15 in addition to the configuration of the communication blocking system 10A of the first modification.

The external communication unit 15 is communicably connected to each communication unit 14. Further, the external communication unit 15 communicates with a system (not shown) capable of externally controlling the vehicle equipped with the in-vehicle network system 10C, for example, an information processing system of SOC, via the gateway 20 and the TCU 70. Hereinafter, the communication destination of the external communication unit 15 will be described assuming that this information processing system is used.

The external communication unit 15 collects information on each group via the communication unit 14. An example of the information that can be collected here (hereinafter referred to as vehicle information) is a communication log between communication devices included in the group. In addition, the operation log of the device connected to these communication devices, the information acquired by the operation of the device, for example, the image around the vehicle, the result of object recognition, the position information of the vehicle, the time information, and the like may be included. .. Then, the vehicle information is transmitted to the information processing system.

In the information processing system, the control content for moving the vehicle is determined based on the vehicle information provided by the external communication unit 15 from the stopped vehicle, and the control signal for executing this control is transmitted to the vehicle. Send to. That is, this information processing system executes remote control of a vehicle stopped for evacuation.

The external communication unit 15 receives this control signal via the TCU 70 and the gateway 20, and transfers the control signal to a domain corresponding to a function required for traveling of the vehicle, such as a drive system domain, via the communication unit 14.

As a result, after the vehicle is stopped for evacuation, it is possible to re-move the vehicle in a state where it cannot be controlled for re-movement either by the in-vehicle system or manually.

The external communication unit 15 does not directly collect vehicle information by communicating with each communication unit 14, but acquires data once stored in the storage unit 12 from the communication unit 14 and provides it to an external information processing system. You may.

Further, the external communication unit 15 may process the collected vehicle information and then provide it to an external information processing system. Examples of this process include extraction of necessary parts and information-based determination of the vehicle or surrounding conditions.

Further, the external communication unit 15 as described above can be combined with the communication blocking system according to the modification 2 or the modification 3.

Further, the external information processing system may further determine whether or not the vehicle can be remotely controlled based on the received vehicle information. If it is determined that remote control is not possible, for example, the information processing system may make a report for arranging a road service. FIG. 8 is a sequence diagram showing a series of processing procedures up to this notification.

First, vehicle information is transmitted from the external communication unit 15 of the vehicle that has been evacuated and stopped to an information processing system such as SOC (step S80).

In the information processing system, it is determined whether or not the vehicle can be remotely controlled based on the received vehicle information (step S81).

When remote control is possible (Yes in step S81), the control signal is transmitted from the information processing system to the vehicle (step S82).

When remote control is not possible (No in step S81), the information processing system notifies the road service provider (step S83). Here, the information processing system also provides the road service provider with information on the position of the vehicle, the vehicle type, the details of the trouble, and the like.

The road service provider who received the report dispatches a person in charge to the vehicle (step S84).

As described above, the communication cutoff system 100C for evacuating the automobile from the traveling zone depending on the communication abnormality on the in-vehicle network system includes an external communication unit 15 capable of communicating with an external information processing system.

When the vehicle is evacuated according to the determination of the determination unit 11A, the external communication unit 15 receives information about the data received from the communication device included in the group in which the data transmitted to the other group is blocked by the predetermined communication interruption. The vehicle information is acquired, and the acquired vehicle information is transmitted to an external information processing system.

As a result, when the vehicle is stopped because the driving safety cannot be sufficiently ensured only by blocking the communication, it is possible to provide the support system outside the vehicle with information on the situation of the vehicle.

Further, the external communication unit 15 may receive a signal for remotely controlling the traveling of the vehicle from the information processing system outside the vehicle.

As a result, the automobile once stopped for ensuring safety can be moved by remote control.

[2-5. Other variants]
(1) The data received by the communication unit 14 and provided to the determination unit 11 may be data that the determination unit 11 can detect a communication abnormality on the domain or the communication line, from all the communication devices included in each domain. It does not have to be the data to be transmitted. For example, data may be received from only a part.

(2) The plurality of communication units 14 corresponding to each group may not be physically independent of each other, or may be logically independent of each other. Similarly, the plurality of switching units 13 may be logically independent.

(3) Each in-vehicle network system illustrated above includes four domains, but the number of domains on the in-vehicle network system is not limited to this. Further, the communication of all the plurality of domains may not be the target of blocking by the communication blocking system according to the present invention or the monitoring for that purpose, and only a part thereof may be the target.

(4) In the in-vehicle network system to which the communication blocking system according to the present invention can be applied, each DCU can be integrated, and each of the above-mentioned communication blocking systems is further integrated with the integrated DCU. Realization is also possible. Further, it may be realized as an in-vehicle computer or a function thereof in a form integrated with a gateway.

(5) The format of the data transmitted / received by the in-vehicle network system that communicates according to the CAN protocol in the above embodiment and its modified example may be either a standard ID format or an extended ID format.

(6) The above CAN protocol is understood in a broad sense including derivative protocols such as TTCAN (Time-Triggered CAN) and CANFD (CAN with Flexible Data Rate). Further, the network used for communication between ECUs in the in-vehicle network system to which the communication blocking system according to the present invention can be applied is not limited to the network according to the CAN protocol. For example, protocols other than CAN used in a network for an ECU to send and receive communication data include, for example, Ethenet (registered trademark), LIN (Local Interconnect Network), MOST (registered trademark) (Media Oriented Systems Transport), and FlexRay. (Registered trademark), a network according to the Broader reach protocol, etc. may be used.

(7) Each ECU in the above embodiment is a device including, for example, a digital circuit such as a processor and a memory, an analog circuit, a communication circuit, etc., but includes a hard disk device, a display, and other hardware components. It may be. Further, each component shown in the above embodiment has its function by a dedicated hardware (digital circuit or the like) instead of the program stored in the storage device being executed by the processor and realized by software. It may be realized.

(8) The functional division between the components shown in the communication blocking system according to the present invention is an example for convenience of explanation, and the mutual division may be arbitrarily changed, and the functional components may be changed. It may be further subdivided.

(9) Execution of the various processing procedures (for example, the procedures shown in FIGS. 2, 4 and 6) shown in the above embodiment is not necessarily limited to the above-mentioned order, and the gist of the invention You may change the order, perform multiple steps in parallel, or omit some of the steps, as long as they do not deviate from or cause inconsistency. For example, in the procedure shown in FIG. 6, confirmation of holding the setting for executing the evacuation of the vehicle (step S41) may be performed before the determination of the execution of the vehicle evacuation (step S40).

(10) A part or all of the components constituting each device in the above embodiment may be composed of one system LSI (Large Scale Integration: large-scale integrated circuit). The system LSI is an ultra-multifunctional LSI manufactured by integrating a plurality of components on one chip, and specifically, is a computer system including a microprocessor, a ROM, a RAM, and the like. .. A computer program is recorded in the ROM. When the microprocessor operates according to the computer program, the system LSI achieves its function.

Further, each part of the component component constituting each of the above devices may be individually integrated into one chip, or may be integrated into one chip so as to include a part or all of the components. Further, although the system LSI is used here, it may be referred to as an IC, an LSI, a super LSI, or an ultra LSI depending on the degree of integration. Further, the method of making an integrated circuit is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor. An FPGA (Field Programmable Gate Array) that can be programmed after the LSI is manufactured, or a reconfigurable processor that can reconfigure the connection and settings of circuit cells inside the LSI may be used. Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. The application of biotechnology, etc. is possible.

(11) A part or all of the components constituting each of the above devices may be composed of an IC card or a single module that can be attached to and detached from each device. The IC card or the module is a computer system composed of a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the above-mentioned super multifunctional LSI. When the microprocessor operates according to a computer program, the IC card or the module achieves its function. This IC card or this module may have tamper resistance.

(12) One aspect of the present invention may be an information processing method including all or part of the processing procedure shown in, for example, FIG. 2, FIG. 4, or FIG.

Further, as one aspect of the present invention, it may be a program (computer program) for realizing predetermined information processing related to this information processing method by a computer, or it may be a digital signal composed of the program.

Further, as one aspect of the present invention, a recording medium that can be read by a computer that has recorded the above computer program or digital signal, for example, a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, or a DVD-RAM. , BD (Blu-ray® Disc), semiconductor memory and the like.

In addition, as one aspect of the present invention, the above is transmitted via a digital signal recorded on these recording media, a telecommunication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like. Program or digital signal.

Further, one aspect of the present invention is a computer system including a microprocessor and a memory, in which the memory records the above program, and the microprocessor operates according to the program. May be good. Further, another independent computer by recording the above program or digital signal on the above recording medium and transferring it, or by transferring the above program or digital signal via the above network or the like. It may be implemented by the system.

(13) The scope of the present invention also includes a form realized by arbitrarily combining the above-described embodiment and each component and function shown in the above-described modification.

INDUSTRIAL APPLICABILITY The present invention can be used in an in-vehicle network system for an ECU mounted on a vehicle to communicate, and is useful for improving the safety of the network and, by extension, the running safety of the vehicle.

10, 10A, 10B, 10C In-vehicle network system 11, 11A, 11B Judgment unit 12 Storage unit 13, 13A, 13B, 13C, 13D Switching unit 14, 14A, 14B, 14C, 14D Communication unit 15 External communication unit 20 Gateway 30, 30A drive system domain 31, 41, 51, 61 DCU (communication device)
32, 33, 42, 43, 52, 53, 62, 63 ECU (communication device)
40 ADAS domain 50 Body domain 60 Infotainment domain 70 TCU
80 OBD2 port 91, 92, 93, 94, 900 Communication line 100, 100A, 100B, 100C Communication cutoff system 120 Setting holding unit 300 Evacuation control unit

Claims (11)

In an in-vehicle network system capable of transmitting and receiving data between a plurality of groups including a plurality of communication devices and a communication line to which the plurality of communication devices are connected.
A communication unit that receives data from at least a part of the plurality of communication devices included in the first group via the communication line included in the first group among the plurality of groups.
Whether to detect a communication abnormality in the first group based on the data received by the communication unit and execute a predetermined communication interruption between the plurality of groups based on the content of the detected communication abnormality. Judgment department to decide whether or not,
When the determination unit determines to execute a predetermined communication cutoff, it is provided with a switching unit that executes the predetermined communication cutoff.
Predetermined communication blockade viewed including the blocking of the inflow into the first group except a group of data sent from said first group,
The vehicle equipped with the in-vehicle network system has an automatic driving function including a function for executing evacuation.
The judgment unit
When it is determined to execute the predetermined communication interruption, it is determined whether or not to evacuate the vehicle based on the content of the detected communication abnormality.
When it is decided to evacuate the vehicle, an instruction to execute evacuation by automatic driving is output.
Communication blocking system. The communication unit receives data from at least a part of the plurality of communication devices included in each of the plurality of groups, and receives data from the communication unit.
The determination unit detects a communication abnormality in each of the plurality of groups based on the data received by the communication unit, and communicates in a second group other than the first group among the plurality of groups. When an abnormality is detected, it is determined that, as the predetermined communication interruption, the inflow of data transmitted from the second group to the first group is blocked.
The communication blocking system according to claim 1. The predetermined communication cutoff is a cutoff of data transmission / reception between the first group and all groups other than the first group.
The communication blocking system according to claim 1. The communication unit includes at least a part of a plurality of communication devices included in a second group other than the first group, and a plurality of communication devices included in a third group other than the first group and the second group. Receives data from at least some of its communication devices
The determination unit detects a communication abnormality in each of the second group and the third group based on the data received by the communication unit.
When the determination unit detects a communication abnormality in the second group and determines that the detected communication abnormality is not in the third group, in the predetermined communication interruption, the determination unit and the first group The interruption of transmission / reception to / from the second group is maintained, and the interruption of the inflow of data transmitted from the third group to the first group is released.
The communication blocking system according to claim 3. The predetermined communication interruption is a complete interruption of data transmission / reception between the plurality of groups.
The communication blocking system according to claim 1. The communication unit receives data from at least a part of a plurality of communication devices included in a second group other than the first group, and receives data.
The determination unit detects a communication abnormality in the second group based on the data received by the communication unit, and detects a communication abnormality in the second group.
When the determination unit determines that the detected communication abnormality is not in the second group, the inflow of data transmitted from the second group to another group from the predetermined communication interruption is performed. Release the block,
The communication blocking system according to claim 5. In an in-vehicle network system capable of transmitting and receiving data between a plurality of groups including a plurality of communication devices and a communication line to which the plurality of communication devices are connected.
A communication unit that receives data from at least a part of the plurality of communication devices included in the first group via the communication line included in the first group among the plurality of groups.
Whether to detect a communication abnormality in the first group based on the data received by the communication unit and execute a predetermined communication interruption between the plurality of groups based on the content of the detected communication abnormality. Judgment department to decide whether or not,
When the determination unit determines to execute a predetermined communication cutoff, it is provided with a switching unit that executes the predetermined communication cutoff.
The predetermined communication interruption includes blocking the inflow of data transmitted from the first group to a group other than the first group.
The vehicle equipped with the in-vehicle network system can be manually driven.
When the determination unit determines to evacuate the vehicle, the determination unit outputs an instruction to execute the evacuation by the manual operation to the occupant of the vehicle.
Communication cut-off system. Further, it is provided with an external communication unit capable of communicating with an information processing system outside the in-vehicle network system.
When the evacuation is executed according to the decision of the determination unit,
The external communication unit transmits to the information processing system information about data received from at least a part of the plurality of communication devices included in the group in which the data to be transmitted to another group is blocked by the predetermined communication interruption. ,
The communication blocking system according to any one of claims 1 to 7. The external communication unit receives a signal for remote control of the vehicle from the information processing system.
The communication blocking system according to claim 8. In an in-vehicle network system capable of transmitting and receiving data between a plurality of communication devices and a plurality of groups including a communication line to which the plurality of communication devices are connected, a processor included in the information processing device connected to the in-vehicle network system. It is a communication blocking method executed by
Data is received from at least a part of the plurality of communication devices included in the first group via the communication line included in the first group.
Whether or not to detect a communication abnormality in the first group based on the received data and execute a predetermined communication interruption between the plurality of groups based on the content of the detected communication abnormality. Decide and
If it is decided to execute the predetermined communication cutoff, the predetermined communication cutoff is executed, and the predetermined communication cutoff is executed.
Predetermined communication blockade viewed including the blocking of the inflow into the first group except a group of data sent from said first group,
The vehicle equipped with the in-vehicle network system has an automatic driving function including a function for executing evacuation.
When it is determined to execute the predetermined communication interruption, it is determined whether or not to evacuate the vehicle based on the content of the detected communication abnormality.
When it is decided to evacuate the vehicle, an instruction to execute evacuation by automatic driving is output.
Communication blocking method. A program for causing the processor to execute the communication blocking method according to claim 10.

Images